From 0c7f2affaaa390c0f362c13eb63dd125c54c4518 Mon Sep 17 00:00:00 2001 From: jzm369 Date: Fri, 19 Feb 2021 14:23:28 +0800 Subject: [PATCH] fix CVE-2020-14347 CVE-2020-14360 CVE-2020-25712 (cherry picked from commit 9dab254e9c9b3203479b4f16610379db31c36c36) --- backport-CVE-2020-14347.patch | 32 ++++++++ backport-CVE-2020-14360.patch | 136 ++++++++++++++++++++++++++++++++++ backport-CVE-2020-25712.patch | 104 ++++++++++++++++++++++++++ xorg-x11-server.spec | 11 ++- 4 files changed, 282 insertions(+), 1 deletion(-) create mode 100644 backport-CVE-2020-14347.patch create mode 100644 backport-CVE-2020-14360.patch create mode 100644 backport-CVE-2020-25712.patch diff --git a/backport-CVE-2020-14347.patch b/backport-CVE-2020-14347.patch new file mode 100644 index 0000000..078c741 --- /dev/null +++ b/backport-CVE-2020-14347.patch @@ -0,0 +1,32 @@ +From aac28e162e5108510065ad4c323affd6deffd816 Mon Sep 17 00:00:00 2001 +From: Matthieu Herrb +Date: Sat, 25 Jul 2020 19:33:50 +0200 +Subject: [PATCH] fix for ZDI-11426 + +Avoid leaking un-initalized memory to clients by zeroing the +whole pixmap on initial allocation. + +This vulnerability was discovered by: +Jan-Niklas Sohn working with Trend Micro Zero Day Initiative + +Signed-off-by: Matthieu Herrb +Reviewed-by: Alan Coopersmith +--- + dix/pixmap.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/dix/pixmap.c b/dix/pixmap.c +index 1186d7dbbf..5a0146bbb6 100644 +--- a/dix/pixmap.c ++++ b/dix/pixmap.c +@@ -116,7 +116,7 @@ AllocatePixmap(ScreenPtr pScreen, int pixDataSize) + if (pScreen->totalPixmapSize > ((size_t) - 1) - pixDataSize) + return NullPixmap; + +- pPixmap = malloc(pScreen->totalPixmapSize + pixDataSize); ++ pPixmap = calloc(1, pScreen->totalPixmapSize + pixDataSize); + if (!pPixmap) + return NullPixmap; + +-- +GitLab \ No newline at end of file diff --git a/backport-CVE-2020-14360.patch b/backport-CVE-2020-14360.patch new file mode 100644 index 0000000..60ec435 --- /dev/null +++ b/backport-CVE-2020-14360.patch @@ -0,0 +1,136 @@ +From 446ff2d3177087b8173fa779fa5b77a2a128988b Mon Sep 17 00:00:00 2001 +From: Matthieu Herrb +Date: Thu, 12 Nov 2020 19:15:07 +0100 +Subject: [PATCH] Check SetMap request length carefully. + +Avoid out of bounds memory accesses on too short request. + +ZDI-CAN 11572 / CVE-2020-14360 + +This vulnerability was discovered by: +Jan-Niklas Sohn working with Trend Micro Zero Day Initiative + +Signed-off-by: Matthieu Herrb + +reason:CVE-2020-14360 + +Conflict:NA +Reference:https://gitlab.freedesktop.org/xorg/xserver/-/commit/446ff2d3177087b8173fa779fa5b77a2a128988b + +--- + xkb/xkb.c | 92 +++++++++++++++++++++++++++++++++++++++++++++++++++++++ + 1 file changed, 92 insertions(+) + +diff --git a/xkb/xkb.c b/xkb/xkb.c +index f162e8d..779cdfd 100644 +--- a/xkb/xkb.c ++++ b/xkb/xkb.c +@@ -2382,6 +2382,93 @@ SetVirtualModMap(XkbSrvInfoPtr xkbi, + return (char *) wire; + } + ++#define _add_check_len(new) \ ++ if (len > UINT32_MAX - (new) || len > req_len - (new)) goto bad; \ ++ else len += new ++ ++/** ++ * Check the length of the SetMap request ++ */ ++static int ++_XkbSetMapCheckLength(xkbSetMapReq *req) ++{ ++ size_t len = sz_xkbSetMapReq, req_len = req->length << 2; ++ xkbKeyTypeWireDesc *keytype; ++ xkbSymMapWireDesc *symmap; ++ BOOL preserve; ++ int i, map_count, nSyms; ++ ++ if (req_len < len) ++ goto bad; ++ /* types */ ++ if (req->present & XkbKeyTypesMask) { ++ keytype = (xkbKeyTypeWireDesc *)(req + 1); ++ for (i = 0; i < req->nTypes; i++) { ++ _add_check_len(XkbPaddedSize(sz_xkbKeyTypeWireDesc)); ++ if (req->flags & XkbSetMapResizeTypes) { ++ _add_check_len(keytype->nMapEntries ++ * sz_xkbKTSetMapEntryWireDesc); ++ preserve = keytype->preserve; ++ map_count = keytype->nMapEntries; ++ if (preserve) { ++ _add_check_len(map_count * sz_xkbModsWireDesc); ++ } ++ keytype += 1; ++ keytype = (xkbKeyTypeWireDesc *) ++ ((xkbKTSetMapEntryWireDesc *)keytype + map_count); ++ if (preserve) ++ keytype = (xkbKeyTypeWireDesc *) ++ ((xkbModsWireDesc *)keytype + map_count); ++ } ++ } ++ } ++ /* syms */ ++ if (req->present & XkbKeySymsMask) { ++ symmap = (xkbSymMapWireDesc *)((char *)req + len); ++ for (i = 0; i < req->nKeySyms; i++) { ++ _add_check_len(sz_xkbSymMapWireDesc); ++ nSyms = symmap->nSyms; ++ _add_check_len(nSyms*sizeof(CARD32)); ++ symmap += 1; ++ symmap = (xkbSymMapWireDesc *)((CARD32 *)symmap + nSyms); ++ } ++ } ++ /* actions */ ++ if (req->present & XkbKeyActionsMask) { ++ _add_check_len(req->totalActs * sz_xkbActionWireDesc ++ + XkbPaddedSize(req->nKeyActs)); ++ } ++ /* behaviours */ ++ if (req->present & XkbKeyBehaviorsMask) { ++ _add_check_len(req->totalKeyBehaviors * sz_xkbBehaviorWireDesc); ++ } ++ /* vmods */ ++ if (req->present & XkbVirtualModsMask) { ++ _add_check_len(XkbPaddedSize(Ones(req->virtualMods))); ++ } ++ /* explicit */ ++ if (req->present & XkbExplicitComponentsMask) { ++ /* two bytes per non-zero explicit componen */ ++ _add_check_len(XkbPaddedSize(req->totalKeyExplicit * sizeof(CARD16))); ++ } ++ /* modmap */ ++ if (req->present & XkbModifierMapMask) { ++ /* two bytes per non-zero modmap component */ ++ _add_check_len(XkbPaddedSize(req->totalModMapKeys * sizeof(CARD16))); ++ } ++ /* vmodmap */ ++ if (req->present & XkbVirtualModMapMask) { ++ _add_check_len(req->totalVModMapKeys * sz_xkbVModMapWireDesc); ++ } ++ if (len == req_len) ++ return Success; ++bad: ++ ErrorF("[xkb] BOGUS LENGTH in SetMap: expected %ld got %ld\n", ++ len, req_len); ++ return BadLength; ++} ++ ++ + /** + * Check if the given request can be applied to the given device but don't + * actually do anything.. +@@ -2639,6 +2726,11 @@ ProcXkbSetMap(ClientPtr client) + CHK_KBD_DEVICE(dev, stuff->deviceSpec, client, DixManageAccess); + CHK_MASK_LEGAL(0x01, stuff->present, XkbAllMapComponentsMask); + ++ /* first verify the request length carefully */ ++ rc = _XkbSetMapCheckLength(stuff); ++ if (rc != Success) ++ return rc; ++ + tmp = (char *) &stuff[1]; + + /* Check if we can to the SetMap on the requested device. If this +-- +2.19.1 + diff --git a/backport-CVE-2020-25712.patch b/backport-CVE-2020-25712.patch new file mode 100644 index 0000000..82459e2 --- /dev/null +++ b/backport-CVE-2020-25712.patch @@ -0,0 +1,104 @@ +From 87c64fc5b0db9f62f4e361444f4b60501ebf67b9 Mon Sep 17 00:00:00 2001 +From: Matthieu Herrb +Date: Sun, 11 Oct 2020 17:05:09 +0200 +Subject: [PATCH] Fix XkbSetDeviceInfo() and SetDeviceIndicators() heap + overflows + +ZDI-CAN 11389 / CVE-2020-25712 + +This vulnerability was discovered by: +Jan-Niklas Sohn working with Trend Micro Zero Day Initiative + +reason:Fix XkbSetDeviceInfo() and SetDeviceIndicators() heap overflows + +Conflict:NA +Reference:https://gitlab.freedesktop.org/xorg/xserver/-/commit/87c64fc5b0db9f62f4e361444f4b60501ebf67b9 + +Signed-off-by: Matthieu Herrb +--- + xkb/xkb.c | 26 +++++++++++++++++++++++--- + 1 file changed, 23 insertions(+), 3 deletions(-) + +diff --git a/xkb/xkb.c b/xkb/xkb.c +index 8e016cd74..f54cc97f8 100644 +--- a/xkb/xkb.c ++++ b/xkb/xkb.c +@@ -6536,7 +6536,9 @@ SetDeviceIndicators(char *wire, + unsigned changed, + int num, + int *status_rtrn, +- ClientPtr client, xkbExtensionDeviceNotify * ev) ++ ClientPtr client, ++ xkbExtensionDeviceNotify * ev, ++ xkbSetDeviceInfoReq * stuff) + { + xkbDeviceLedsWireDesc *ledWire; + int i; +@@ -6557,6 +6559,11 @@ SetDeviceIndicators(char *wire, + xkbIndicatorMapWireDesc *mapWire; + XkbSrvLedInfoPtr sli; + ++ if (!_XkbCheckRequestBounds(client, stuff, ledWire, ledWire + 1)) { ++ *status_rtrn = BadLength; ++ return (char *) ledWire; ++ } ++ + namec = mapc = statec = 0; + sli = XkbFindSrvLedInfo(dev, ledWire->ledClass, ledWire->ledID, + XkbXI_IndicatorMapsMask); +@@ -6575,6 +6582,10 @@ SetDeviceIndicators(char *wire, + memset((char *) sli->names, 0, XkbNumIndicators * sizeof(Atom)); + for (n = 0, bit = 1; n < XkbNumIndicators; n++, bit <<= 1) { + if (ledWire->namesPresent & bit) { ++ if (!_XkbCheckRequestBounds(client, stuff, atomWire, atomWire + 1)) { ++ *status_rtrn = BadLength; ++ return (char *) atomWire; ++ } + sli->names[n] = (Atom) *atomWire; + if (sli->names[n] == None) + ledWire->namesPresent &= ~bit; +@@ -6592,6 +6603,10 @@ SetDeviceIndicators(char *wire, + if (ledWire->mapsPresent) { + for (n = 0, bit = 1; n < XkbNumIndicators; n++, bit <<= 1) { + if (ledWire->mapsPresent & bit) { ++ if (!_XkbCheckRequestBounds(client, stuff, mapWire, mapWire + 1)) { ++ *status_rtrn = BadLength; ++ return (char *) mapWire; ++ } + sli->maps[n].flags = mapWire->flags; + sli->maps[n].which_groups = mapWire->whichGroups; + sli->maps[n].groups = mapWire->groups; +@@ -6671,7 +6686,7 @@ _XkbSetDeviceInfoCheck(ClientPtr client, DeviceIntPtr dev, + ed.deviceID = dev->id; + wire = (char *) &stuff[1]; + if (stuff->change & XkbXI_ButtonActionsMask) { +- int nBtns, sz, i; ++ int nBtns, sz, i; + XkbAction *acts; + DeviceIntPtr kbd; + +@@ -6683,7 +6698,11 @@ _XkbSetDeviceInfoCheck(ClientPtr client, DeviceIntPtr dev, + return BadAlloc; + dev->button->xkb_acts = acts; + } ++ if (stuff->firstBtn + stuff->nBtns > nBtns) ++ return BadValue; + sz = stuff->nBtns * SIZEOF(xkbActionWireDesc); ++ if (!_XkbCheckRequestBounds(client, stuff, wire, (char *) wire + sz)) ++ return BadLength; + memcpy((char *) &acts[stuff->firstBtn], (char *) wire, sz); + wire += sz; + ed.reason |= XkbXI_ButtonActionsMask; +@@ -6704,7 +6723,8 @@ _XkbSetDeviceInfoCheck(ClientPtr client, DeviceIntPtr dev, + int status = Success; + + wire = SetDeviceIndicators(wire, dev, stuff->change, +- stuff->nDeviceLedFBs, &status, client, &ed); ++ stuff->nDeviceLedFBs, &status, client, &ed, ++ stuff); + if (status != Success) + return status; + } +-- +GitLab + diff --git a/xorg-x11-server.spec b/xorg-x11-server.spec index 9d5d7b5..146851c 100644 --- a/xorg-x11-server.spec +++ b/xorg-x11-server.spec @@ -16,7 +16,7 @@ Name: xorg-x11-server Version: 1.20.8 -Release: 3 +Release: 4 Summary: X.Org X11 X server License: MIT and GPLv2 URL: https://www.x.org @@ -82,6 +82,9 @@ Patch0030: CVE-2020-14346.patch Patch0031: CVE-2020-14361.patch Patch0032: CVE-2020-14362.patch Patch0033: CVE-2020-14345.patch +Patch0034: backport-CVE-2020-25712.patch +Patch0035: backport-CVE-2020-14360.patch +Patch0036: backport-CVE-2020-14347.patch BuildRequires: audit-libs-devel autoconf automake bison dbus-devel flex flex-devel git BuildRequires: systemtap-sdt-devel libtool pkgconfig @@ -324,6 +327,12 @@ find %{inst_srcdir}/hw/xfree86 -name \*.c -delete %{_libdir}/xorg/protocol.txt %changelog +* Fri Feb 19 2020 jinzhimin - 1.20.8-4 +- Type:CVE +- Id:CVE-2020-14347 CVE-2020-14360 CVE-2020-25712 +- SUG:NA +- DESC:fix CVE-2020-14347 CVE-2020-14360 CVE-2020-25712 + * Wed Dec 09 2020 orange-snn - 1.20.8-3 - Type:CVE - Id:CVE-2020-14345 -- Gitee